A gremlin trying to spoil Christmas has released a Melissa-like virus capable of reformatting the hard drive of a computer.
The W97M.Prilissa.A. virus uses Microsoft's Outlook to send infected documents via e-mail, much like the well-known Melissa virus, and in addition uses the system date to reformat users' C drives on Dec. 25, antivirus software experts said on Monday.
The virus has the potential to wipe out everything on a computer's hard disk drive, but most antivirus technology can detect and clean up the virus, Susan Orbuch, a spokeswoman for antivirus software vendor Trend Micro, said on Monday.
"It's Melissa packing a punch," she said. "But the good news is we are prepared for it." Trend Micro and other antivirus software companies now market rules-based or heuristic scanning devices that detect such behavior, she added.
The text of the virus message reads, "This document is very Important and you've GOT to read this!!!" When the document is opened, the virus disables virus protection security settings, conversion confirmation and users' recently opened file list, Orbuch said.
The W97M.Prilissa.A. virus will show the following text in the message box when users turn on their machines: "Vine... Vide... Vice... Moslem Power Never End...You Dare Rise Against Me...The Human Era is Over, The CyberNET Era Has Come!!!"
The virus then displays several colored shapes on top of the opened document, overwrites the AUTOEXEC.BAT file to format the C drive, and then displays another message when the system is rebooted: "Vine...Vide...Vice...Moslem Power Never End...Your Computer Have Just Been Terminated By -= CyberNET =- Virus!!"
The Christmas Day (Dec. 25) trigger date for the virus and the virulent language of its messages seem timed to gain maximum attention, said Vincent Weafer, director of Symantec's AntiVirus Research Center in Los Angeles.
"This is somebody trying to get their virus known," Weafer said. "It looks like it's targeted against home-users because companies will not be working Christmas Day.
"They must have known it's so similar to Melissa that most antivirus companies will be able to catch it, and if users are updating their virus patterns, they should be all right. It's like someone saying, 'Me Too,'" he added.
Although reports have said the virus has already impacted companies in the US, Europe and Asia, Symantec and Trend Micro said their customers have not as yet reported coming across the virus.
The holiday season and year 2000 (Y2K) concerns are putting antivirus software companies on a heightened period of alert, said Trend Micro's Orbuch. "We have designated the period from December 25 to January 15 as a time to be on guard," she said. "We think people may send messages trying to take advantage of concerns about Y2K."
In August of this year, experts announced the discovery of an earlier Windows virus also set to activate December 25.
Variously known as Win32.Kriz, Win32Kriz.3740 or Win32.Kriz.3862, the virus resembles the Chernobyl virus, which hit users in Europe and Asia earlier this year. The South Korean government, for example, said that the virus hit 244,000 PCs.
Win32.Kriz can damage files that are opened, copied and moved. On Christmas Day, the virus is set to destroy computers' Flash BIOS (basic input output system) using the same routine as found in the Chernobyl virus, a spokesman for Central Command and its Kapersky Lab research unit, said. The result is that users are unable to boot their computers properly or control the cursor.
The virus also triggers its own nasty message. "You call it religion... I'm sick and tired of your goddamn lies, lies in the name of God," it said.
Users of Symantec's Norton AntiVirus software can obtain free updates of their virus definition files for one year and get general information on Symantec's online site at http://www.sarc.com/. Trend Micro is offering free online virus scanning services and other information on its site at http://www.antivirus.com/.